pagassus

I need your HELP!!! - MERGED 2

10 posts in this topic

I used hijackthis program to delete off all the hijacking programs from my computer..

Please gimme advice on whether to delete off from this list...

Logfile of HijackThis v1.97.7

Scan saved at ?? 9:45:01, on 2004-05-23

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\SERVICES.EXE

C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe

C:\WINNT\system32\internat.exe

C:\WINNT\system32\wapitr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINNT\system32\ntvdm.exe

C:\VSTASCAN\vsaccess.exe

C:\OPLIMIT\ocrawr32.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - Default URLSearchHook is missing

F1 - win.ini: run=C:\WINNT\system32\services\services.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Vc Proc Bags - {46053DCB-37EA-F550-685F-385FFF5274B0} - C:\PROGRA~1\GREYIN~1\LiesSpam.dll (file missing)

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Folder Service ] C:\Program Files\Common Files\Services\wssdtu.exe

O4 - HKLM\..\Run: [Enumeration Service ] C:\Program Files\Common Files\Services\wsys.exe

O4 - HKLM\..\Run: [GZ9Zuhz] C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe

O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe

O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\ZgnF.exe

O4 - HKLM\..\Run: [hqlcrkz] C:\WINNT\hqlcrkz.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [WTSS] C:\WINNT\system32\wapitr.exe

O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE

O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: AIM (HKLM)

O16 - DPF: {0C4A9D28-66B5-4A70-B915-B6AEA5112472} (Icon02 Control) - http://www.bestcode.co.kr/activex/icon02.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB

O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab

O16 - DPF: {27E4B2A9-D554-40DE-B6CD-F11E9B44FBD0} (SimFileControl Control) - http://simfile.chol.com/down/SimFileControl.cab

O16 - DPF: {2882C368-D508-11D4-A2AB-000102598CE4} (LProtect Control) - http://www.livecall.co.kr/pds/module/livecall.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {4E452475-E8F6-4C26-9BA1-8105CB710199} (TvOnline Control) - http://www.everyzone.com/pcsafer/pcsafer.cab

O16 - DPF: {53F55D30-56CC-4258-8617-4A9F48E7F572} (NexgramAPIClass Class) - http://www.buddybuddy.co.kr/cab/nexweb.cab

O16 - DPF: {5BE1D8CB-0520-4763-B44A-ECFE45AB4757} (Dmmn Class) - http://wm.daum.net:7891/activex/dmmn.cab

O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} (V3ProX Control) - http://ahnlabdownload.nefficient.co.kr/plugin/myv3/myv3.cab

O16 - DPF: {90231C0E-765E-4429-8F70-F4E9A0F8D44A} (WebCtrl Class) - http://www.peeringportal.net/WebPlayerCab/...7/FandangoV.cab

O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) - http://wwl415.daum.net/hanmail-ax/HM_fileupload.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7935.6316203704

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

O16 - DPF: {F73D5D5D-04E9-44B7-A6B5-4A51482E5DF4} (ToonsXDaum Control) - http://comic.daum.net/download/ToonsXDaum.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab


Hello pagassus,

 

First I see you have the Peper trojan:

 

Download Peper Fix and run the fix.

 

Next, yes, it is common to have to be online to uninstall some programs so go ahead and do so.

 

Next, download CWShredder. Click on update, then close all browsers, and then click on Fix, not scan.

Next, download Spybot S&D. Check for Updates first, download ALL Updates and do a Scan. When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" button.

 

Reboot the computer.

 

Run Hijackthis again and post a fresh log here.


Please look over and tell me what to delete... :)

Logfile of HijackThis v1.97.7

Scan saved at ?? 4:05:18, on 2004-05-24

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\SERVICES.EXE

C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe

C:\WINNT\system32\internat.exe

C:\WINNT\system32\wapitr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\WINNT\system32\ntvdm.exe

C:\OPLIMIT\ocrawr32.exe

C:\Documents and Settings\Administrator\My Documents\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daum.net/index.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - Default URLSearchHook is missing

F1 - win.ini: run=C:\WINNT\system32\services\services.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Folder Service ] C:\Program Files\Common Files\Services\wssdtu.exe

O4 - HKLM\..\Run: [Enumeration Service ] C:\Program Files\Common Files\Services\wsys.exe

O4 - HKLM\..\Run: [GZ9Zuhz] C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe

O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe

O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\ZgnF.exe

O4 - HKLM\..\Run: [hqlcrkz] C:\WINNT\hqlcrkz.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [WTSS] C:\WINNT\system32\wapitr.exe

O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE

O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: AIM (HKLM)

O16 - DPF: {0C4A9D28-66B5-4A70-B915-B6AEA5112472} (Icon02 Control) - http://www.bestcode.co.kr/activex/icon02.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB

O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab

O16 - DPF: {27E4B2A9-D554-40DE-B6CD-F11E9B44FBD0} (SimFileControl Control) - http://simfile.chol.com/down/SimFileControl.cab

O16 - DPF: {2882C368-D508-11D4-A2AB-000102598CE4} (LProtect Control) - http://www.livecall.co.kr/pds/module/livecall.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {4E452475-E8F6-4C26-9BA1-8105CB710199} (TvOnline Control) - http://www.everyzone.com/pcsafer/pcsafer.cab

O16 - DPF: {53F55D30-56CC-4258-8617-4A9F48E7F572} (NexgramAPIClass Class) - http://www.buddybuddy.co.kr/cab/nexweb.cab

O16 - DPF: {5BE1D8CB-0520-4763-B44A-ECFE45AB4757} (Dmmn Class) - http://wm.daum.net:7891/activex/dmmn.cab

O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} (V3ProX Control) - http://ahnlabdownload.nefficient.co.kr/plugin/myv3/myv3.cab

O16 - DPF: {90231C0E-765E-4429-8F70-F4E9A0F8D44A} (WebCtrl Class) - http://www.peeringportal.net/WebPlayerCab/...7/FandangoV.cab

O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) - http://wwl415.daum.net/hanmail-ax/HM_fileupload.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7935.6316203704

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

O16 - DPF: {F73D5D5D-04E9-44B7-A6B5-4A51482E5DF4} (ToonsXDaum Control) - http://comic.daum.net/download/ToonsXDaum.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab


Thanks for your advice.

 

I did what you told me to do.

 

Now, here is my fresh log....

 

 

Logfile of HijackThis v1.97.7

Scan saved at ?? 4:05:18, on 2004-05-24

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\SERVICES.EXE

C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe

C:\WINNT\system32\internat.exe

C:\WINNT\system32\wapitr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\WINNT\system32\ntvdm.exe

C:\OPLIMIT\ocrawr32.exe

C:\Documents and Settings\Administrator\My Documents\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daum.net/index.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - Default URLSearchHook is missing

F1 - win.ini: run=C:\WINNT\system32\services\services.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Folder Service ] C:\Program Files\Common Files\Services\wssdtu.exe

O4 - HKLM\..\Run: [Enumeration Service ] C:\Program Files\Common Files\Services\wsys.exe

O4 - HKLM\..\Run: [GZ9Zuhz] C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe

O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe

O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\ZgnF.exe

O4 - HKLM\..\Run: [hqlcrkz] C:\WINNT\hqlcrkz.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [WTSS] C:\WINNT\system32\wapitr.exe

O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE

O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: AIM (HKLM)

O16 - DPF: {0C4A9D28-66B5-4A70-B915-B6AEA5112472} (Icon02 Control) - http://www.bestcode.co.kr/activex/icon02.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB

O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab

O16 - DPF: {27E4B2A9-D554-40DE-B6CD-F11E9B44FBD0} (SimFileControl Control) - http://simfile.chol.com/down/SimFileControl.cab

O16 - DPF: {2882C368-D508-11D4-A2AB-000102598CE4} (LProtect Control) - http://www.livecall.co.kr/pds/module/livecall.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {4E452475-E8F6-4C26-9BA1-8105CB710199} (TvOnline Control) - http://www.everyzone.com/pcsafer/pcsafer.cab

O16 - DPF: {53F55D30-56CC-4258-8617-4A9F48E7F572} (NexgramAPIClass Class) - http://www.buddybuddy.co.kr/cab/nexweb.cab

O16 - DPF: {5BE1D8CB-0520-4763-B44A-ECFE45AB4757} (Dmmn Class) - http://wm.daum.net:7891/activex/dmmn.cab

O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} (V3ProX Control) - http://ahnlabdownload.nefficient.co.kr/plugin/myv3/myv3.cab

O16 - DPF: {90231C0E-765E-4429-8F70-F4E9A0F8D44A} (WebCtrl Class) - http://www.peeringportal.net/WebPlayerCab/...7/FandangoV.cab

O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) - http://wwl415.daum.net/hanmail-ax/HM_fileupload.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7935.6316203704

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

O16 - DPF: {F73D5D5D-04E9-44B7-A6B5-4A51482E5DF4} (ToonsXDaum Control) - http://comic.daum.net/download/ToonsXDaum.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab


Hello,

 

Download VX2Finder from this link:

http://tools.zerosrealm.com/VX2Finder.exe

 

 

Run VX2Finder and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

 

Copy and paste the contents of the log into your next reply here.

--------------------------------

 

Sign off and stay off the internet until the entire procedure is complete.

 

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

 

Then select the *Delete these files* button.

You will be left with a notice about one to be deleted on reboot.

It will ask to reboot on deletion of the last file (Reboot).

 

-----------------

Once back in Windows

 

 

Open VX2Finder again and click on these buttons in the right pane:

 

user agent, Guardian.reg, restore policy

 

Exit and reboot.

 

Next,

 

The Peper Trojan is still there. Run the fix again, stay online when you run the fix.

 

Next, delete the contents of the "temp" folder and completely delete the cache folders.

 

Open Internet Explorer. Then click on TOOLS in the top toolbar. Click on "Internet Options..." from the drop-down menu.

A new smaller window will display. Under the "General" tab, in the middle, are 3 buttons.

Click the Delete Cookies button - then a small warning box pops up. Click OK.

Click the Delete Files button - a small warning box pops up. Check the box for "Delete all offline content" and click OK.

Then on the same General tab, click Clear History, then click OK.

 

Run HJT again and check these items and then click on Fix:

 

R3 - Default URLSearchHook is missing

 

F1 - win.ini: run=C:\WINNT\system32\services\services.exe

 

O4 - HKLM\..\Run: [Folder Service ] C:\Program Files\Common Files\Services\wssdtu.exe

O4 - HKLM\..\Run: [Enumeration Service ] C:\Program Files\Common Files\Services\wsys.exe

O4 - HKLM\..\Run: [GZ9Zuhz] C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe

O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe

O4 - HKLM\..\Run: [hqlcrkz] C:\WINNT\hqlcrkz.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [WTSS] C:\WINNT\system32\wapitr.exe

 

O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

 

Reboot the computer into safe mode

 

Make sure you can view all hidden files and folders

 

Find and delete these files/folders (if you don't find them, that is OK):

 

C:\Program Files\Common Files\Services\wssdtu.exe

C:\Program Files\Common Files\Services\wsys.exe

C:\WINNT\system32\dp-him.exe

C:\WINNT\hqlcrkz.exe

internat.exe

C:\WINNT\system32\wapitr.exe

Edited by Taz71498
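
An added example, not part of the thread and not any poster's code: a small Python parser for the `<section> - <detail>` entry lines in the HijackThis logs above, with three simple path-based checks. The function names and the three checks are assumptions of this example, not the criteria the helper used.

```python
import re

# A few lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\system32\svchost.exe
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINNT\system32\services\services.exe
O3 - Toolbar: Vc Proc Bags - {46053DCB-37EA-F550-685F-385FFF5274B0} - C:\PROGRA~1\GREYIN~1\LiesSpam.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GZ9Zuhz] C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
"""

# Entry lines look like "<section> - <detail>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
# O4 registry autoruns: "HKLM\..\Run: [value name] command line".
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.+)$")


def parse_log(text):
    """Return (section, detail) pairs; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(entries):
    """Apply the example's three checks; return (section, reason, detail)."""
    findings = []
    for section, detail in entries:
        lowered = detail.lower()
        if lowered.endswith("(file missing)"):
            # The entry points at a file that no longer exists on disk.
            findings.append((section, "target file missing", detail))
        elif section == "F1" and lowered.startswith("win.ini: run="):
            # Legacy win.ini autostart line.
            findings.append((section, "win.ini run= autostart", detail))
        elif section == "O4":
            run = RUN_RE.match(detail)
            if run and "\\temp\\" in run.group(3).lower():
                # Registry Run value launching an executable from a temp folder.
                findings.append((section, "autorun from a temp folder", detail))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{section:>3}  {reason:<28} {detail}")
```

Path-based checks like these do not replace the helper's review: most of the entries listed for fixing above (for example `C:\WINNT\hqlcrkz.exe`) match none of the three rules.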


Threads merged to here, stick to just this one please. Hit ADD REPLY, not NEW TOPIC.


Thanks once again.

 

Here is the log.

 

Log for VX2.BetterInternet File Finder

 

Files Found---

C:\WINNT\system32\ahlui.dll

 

 

Guardian Key--- is called: GuardianULJTI

Asynchronous 000

DllName C:\WINNT\system32\ahlui.dll

Impersonate 000

Logon WinLogon

Logoff WinLogoff

Version 124

ID {9100459C-B509-4CFF-B1FC-272BB1A5C46B}

IDex BM2

 

User Agent String---

{9100459C-B509-4CFF-B1FC-272BB1A5C46B}


Hi,

 

I got a problem from using Vx2Finder.

I selected the *Delete these files* button, but then ever since I rebooted, I'm getting these error messages from windows.

 

It's something like, an error occurred running "wilgon.exe" and "rundll32.exe" files and need to reboot the system again. (I'm not exactly sure of the file names tho, but it was somewhat like that.)

And the problem is, even tho I could still use the windows, I can't restart or turn off my computer using shut down key from the start menu. I have to press the button on my computer and have to shut it off....

What should I do?


Please post a new HJT log. Those are not legit files and we will take care of those when I see your new log and see which ones to Fix.
